Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Symantec Critical System Protection and how is it different from Symantec Endpoint Protection

Created: 19 Feb 2012 • Updated: 18 Apr 2012 | 3 comments
Language Translations
Vikram Kumar-SAV to SEP's picture
+19 19 Votes
Login to vote

 

Symantec Critical System Protection and how is it different from Symantec Endpoint Protection

 

Lately there have been many inquiries why we need SCSP when we have SEP and what is the Difference between SCSP and SEP or why should people buy SCSP.

1.       SCSP has Comprehensive Host Intrusion Prevention policies whereas Sep has focused HIPS Policies.

2.       SCSP has better control over Applications whereas in SEP Application control it is limited.

3.       SCSP has more control over Device you can block devices for Application, users or Groups but in SEP you can either block or Unblock a Device.

4.       SCSP gives priority to specific application than general rules however in SEP precedence is based on sequence of the policy.

5.       SCSP focuses on Zero-day Exploits and in Depth Application Control, SEP is focused on USB control and blocking an application.

6.       Most Importantly here are things we cannot do  with SEP but only using SCSP for better Prevention and Detection:

 

 

•          Prevention

–      Windows Exploit Protection

•          Windows Buffer Overflow protection

•          Thread Injection protection

•          Block executable file changes, OS changes,

–      Sophisticated Prevention policies

•          Broad zero day protection - would require man-years to build from scratch

•          Protection covers all applications – even ones not identified in the policy already

–      Fine-grained control over USB and External Device usage

•          Usage control by program, user, group, arguments or combination of the above

•          e.g. Backup Exec to write to a CD-Writer – all other programs can only use as a CD-ROM

–      User override of System Lockdown

•          Admins/users can be allowed to turn off protection for system maintenance tasks

•          Override can be set to allow/disallow changes to SCSP

–      High speed network protection designed for servers - lower system impact

–      Broader platform coverage

•          Windows NT to Windows 2003

•          Solaris and Linux protection

 

•          Detection

–      User-mode monitoring/auditing features

•          SCSP’s does not require a kernel mode driver (i.e. less invasive, no reboot)

–      Monitoring policy types

•          Registry monitoring – registry key change detection

•          File monitoring - File and directory change detection

–        Includes file diff to identify configuration file changes

–        Checksum monitoring to identify changes that may have occurred while the application was off (e.g. booted from a disk)

•          Event log and syslog monitoring – find system, security and application events, such as user logons, privilege escalation, etc.

•          Text log monitoring – find events from application or other text logs

–      Reoccurance –

•          Multiple events within specific time frames

•          e.g. X logon failures within Y minutes or logon followed by user rights change

–      Remote monitoring of other systems’s events (e.g. mainframe)

–      Run actions in response to detected events

•          Kill user session,

•          Terminate process,

•          Run a script/application

Comments 3 CommentsJump to latest comment

AR Sharma's picture

Thanks for share!

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

0
Login to vote
yang_zhang's picture

Good article.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
0
Login to vote